
An anonymous reader writes "The H Online writes: 'Microsoft has placed its process for secure software development under a Creative Commons License. The company hopes that this will lead to more developers utilising its process for programming software more securely across the entire product lifecycle ...'"

Yes and no. The MS OS is actually written with a lot of safeguards in place to make the OS more secure. Years of being attacked tends to make one a bit defensive and certainly more technically adept.

I think their problems are on multiple fronts:

Overly complex code
Lax permission requirements,
Too many admins (still default on workstation installs)
Poorly written apps that in turn require them to bend the rules or to provide workarounds.

MS could take a hard line, and force apps to comply with OS guidelines, but they'd be shooting their compatibility in the foot. Although I see them nudging folks in that direction, with more functions locked out by default, they have a long way to go. Instead, they bend over backwards to try to work around compatibility issues and legacy support, and as a result, leave tons of loopholes. I had great hopes for their VirtualPC bit and was hoping they would take a more Apple-centric approach, allowing them to just start with a fresh slate while virtualizing old OS compatibility. It appears that was a wasted hope however...

What aspects of the VMS security model is the NT kernel missing? It has ACLs on just about every kernel object. Or did you mean the various security mistakes in Windows that have nothing to do with the kernel that Dave Cutler created? It has always seemed to me that the Windows security problems were from flawed apps running as admin, not the kernel itself.

Most of the Windows suckage (especially the Win9x stuff) is a direct result of aggressive backwards compatibility, especially WRT security, where MS has never taken a hard line and broken all legacy apps (as it so desperately needs to for that goal). That's what the customers wanted, though - people simply value legacy support over security, or reliability. That's why chip-and-PIN credit cards have so many security flaws too - legacy support. I'm not sure how that makes anyone a greedy bastard.

So, the "Unix internals vs NT internals" is resumed as UNIX not having ACL security?

Pfffff.. Yeah, looks like you know a lot more on the subject.

WRONG. Unlike Windows, which only supports ONE ACL scheme which is built in, most of the UNIX varieties out there support complex ACL mechanisms through a modular design or patches. Windows ACLs are also very basic compared to the full access control provided by SELinux.

Windows can be very heavily locked down so end-users can literally do nothing more than that which is explicitly made available to them. Heck, with something like SteadyState, it can even roll back any changes with a simple reboot.

But far too many third party developers seem to actively go out of their way to break any security - they seem to have some sort of mental block understanding that the assumptions you make when you're designing an application which will run on a system which you can more or less guarantee will only ever have one person using it (and that person has no realistic hope of screwing it up badly simply because there's so little to screw up) simply do not work on a modern multi-user, multi-tasking networked operating system.

I've lost count of the number of applications - and these aren't crappy things you find on download.com, they're expensive commercial products that are intended to have multiple users - that explicitly expect the end-user to have local admin rights and their first support response is "Does the user have admin rights? No? Go away and come back when they do. I don't care if you can explicitly prove that this isn't the issue here...".

As Bill Gates once put it, they create software that adds new features. They don't think about bug fixes; people don't buy software for bug fixes.

So it's the same at 3rd party software companies. They add new features so people buy their software, fixing the software security model isn't something many end users would care about unless you explained what benefits that would provide.

...unless a serious rootkit gets installed with whatever piece of malware infected your machine while you were using it

A user without administrative access cannot install a rootkit.

Sadly, .NET is still broken. The exploits still affect all versions of the OS. The exploits still don't need the user to have admin rights. The exploits still bypass security measures on a locked down machine.

It sounds like you're talking about a local privilege escalation exploit, and those are usually patched pretty quickly. Do you have any examples or sources to back up that claim?

That's inaccurate. A non-admin can very easily get infected with a userland rootkit with no exploits necessary.

It depends on your definition of "rootkit", I suppose. The term has been watered down drastically over the last few years with people using it to describe malware in general. If we take Wikipedia's word then:

A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. [...] Once a rootkit is installed, it allows an attacker to mask his intrusion while gaining root or privileged access to the computer.

If the installing user does not have administrative rights then it's not possible for a rootkit to gain those rights (failing the requirement of gaining privileged access). A standard user might somehow get a user-mode "rootkit" on the machine, but it will only have access to their files and other us

The rootkit can be so configured (not providing instructions here) that it is effectively hidden from most methods of detection by active user. Killing the process is rather difficult when you know neither the exe name (it can rename itself and hide the binary) nor the PID. Additionally, a program does not need to install itself as a service in order to infect. It can very easily modify user accessible binaries, so that any UAC prompts appear to come from a trusted source.

Yeah, as I indicated, it's called "Windows Updates" - check it out sometime!

Perhaps now you see what I am talking about... if not, check your hotfixes/Windows updates, read what they supposedly fix, then look at the similarities between the multiple attempts to fix the same damn issue over and over again.

So the answer is... No, you don't have any real sources. The generic description that comes with a Windows Update is just that -- generic. They all sound pretty much the same. Even the MS security bulletins like you linked to are usually pretty scant on details because they're designed to give an overview, not the nitty-gritty exploit information found elsewhere. I did look around Google for references to privilege escalation issues with .NET and didn't find anything.

If multiple updates which all say "This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight." have you convinced they've been trying to patch the same vulnerability for 10 years, then you have other issues.

As it stands, the specific vulnerability you point out doesn't even mention privilege escalation! It's also blazingly obvious what "Users whose accounts are configured to have fewer user rights on the system could be less impacted" means. If you don't have admin rights the worst thing the malware can do is put some entries in your startup folder/registry. If you're a full-on admin then we're talking kernel-mode drivers, raw disk access, machine-wide registry changes, the whole shebang. Big difference between the two.

Wow, not just did you ignore most of the text in the advisory, but you don't know anything about how malware works either, do you? Gee, adding things to the startup folder/registry means it might take what... two boots? to fully infect a machine with a piece of malware that has then gained full privileges? I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install themselves with the same privileges. All it took, on a locked down machine, was

Wow, not just did you ignore most of the text in the advisory, but you don't know anything about how malware works either, do you?

I did read it, and I do understand.

Gee, adding things to the startup folder/registry means it might take what... two boots?

A standard user can only write to HKEY_CURRENT_USER. This key controls only their profile. So yes, malware run as a standard user can be set to run when that specific user logs in. Not upon machine startup.

to fully infect a machine with a piece of malware that has then gained full privileges?

Only if that user has administrative rights. If it was a standard user, then no, the malware did not magically gain more rights than the installing user had. That's why I asked about privilege escalation -- an exploit like that makes the situation much, much worse.

I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install themselves with the same privileges.

Yes, it's common for malware to use existing system services to run. There are several methods from DLL injection, App_Init DLLs, remote thread creation, etc. However, ALL of these require administrative access. A process cannot play with system services unless it has rights to. A standard user cannot inject DLLs, write to shared memory, or do anything else to processes running with SYSTEM access unless the user itself has admin rights.

All it took, on a locked down machine, was a couple reboots.

There's nothing magic about rebooting Windows. Some registry keys aren't processed except at boot-time, but there are MANY ways to infect a machine with malware without rebooting the computer. Of course, these ALL require administrative rights.

So yeah, kernel mode drivers and full access may be worse, but in the end, it doesn't matter. The end results are the same.

No, they aren't. The results for malware infection via standard user and that via an administrator are drastically different, with the latter being terribly worse. A standard user's infection can be cleaned up in 5-10 minutes with ease. Simply deleting their user profile and creating a new one is the easiest method. Anyone can do it.

A machine that's been infected by somebody with administrative rights may as well be infinitely worse. Without taking the system offline and analyzing the hard drive in a separate computer (or maybe by booting to a different OS), you will never, ever know if the system is clean. Even offline analyzing isn't guaranteed to work unless you know of and can check every single infection vector, a very challenging task. You're almost always better off reinstalling the machine.

For anyone not willing to follow the progress of this thread, here's the summary:
--
RobertM: Malware is taking advantage of .NET escalation exploits.
nmb: Which escalation exploits?
RobertM: The .NET escalation exploits that haven't been fixed in 10 years. <Offers patch details for a fixed .NET vulnerability that allowed code execution on the compromised user account.>
nmb: That wasn't an escalation exploit.
RobertM: You don't need an escalation exploit. The Windows operating system allows any proces

Nice try... I never said an escalation exploit is needed or not needed. My premise was IF it was needed, it could still happen.

Point is, they just fixed one that they think may bypass privileges. Point was, it wasn't the first time. Point is, they have claimed more than once to fix this - and then another piece of malware proves them wrong, and a new patch is released and they claim "ooh, really, we fixed it this time" and another piece of malware comes out.

See list in post below - and then you can dig for more if you are still interested.

c) Infects the machine without any user interaction

I never made such a point. There were ones where all a user had to do was surf to the wrong choice of websites though. That is a form of user interaction. But there was no further interaction needed (such as click a prompt to OK an install, "OK" a UAC box,

Dude. Not one of your citations mentions .NET being vulnerable to anything, they all refer to Windows flaws in native components.

You also don't seem to understand what the Firefox plugin is, and I'm scratching my head as this was an issue 2 or 3 *YEARS* ago, and there was no "patch" this summer to address it as you keep claiming.

The firefox plugin was added in the only way that Firefox allowed system-wide plug-ins to be added. Java, and several other plug-ins use the same mechanism.

Dude. Shatter is completely "fixed". It was partially fixed in 2002... years before Vista came out, but that was a patch. Vista eliminates shatter by providing beefed up security for windows messages, and forcing services to run in a different Terminal screen from the interactive user. The article you reference talks about the way Vista addressed the issue.

In other words, Shatter hasn't been an issue since about 2004. Please stop regurgitating 7-10 year old exploits as if they were valid today.

.NET is actually a security success-story. Compared to similar (i.e. Java), .NET has experienced almost an order of magnitude fewer vulnerabilities, especially if you consider the severity of the vulns.

SteadyState makes a virtual hard disk. In essence it is itself a "rootkit" in that it uses copy-on-write and reads/writes the changed block from/to a log file. When rebooting it simply deletes the log file and the disk is back to the original state. I would like to see the rootkit which can survive that...

Wouldn't the answer to that last statement be ANY real rootkit? Just curious. Isn't infecting the MBR the way that rootkits bypass such protections? Wouldn't some rootkits then also be able to hose SteadyState's ability to revert the file system back to previous state? Aren't the file system and MBR two different things, even though they work in conjunction?

Just curious, hence the questions instead of statements.

Also, it's a bit disingenuous to simply pick one version of .NET, as systems come with all o

WTF are you prattling on about? .NET insecure? Seriously? Do you even know what you're talking about? You are making vague claims that make little sense. Like calling the Firefox plug-in a security flaw.. It's using the mechanism that Firefox provided for machine wide-plugins. Firefox has since improved on that, but it wasn't MS's fault nor was it a security flaw.

Please, point me to some evidence of any severe unpatched .NET flaws or exploits. I don't know of any. I think you are confused and simply

Overly complex code
Lax permission requirements,
Too many admins (still default on workstation installs)
Poorly written apps that in turn require them to bend the rules or to provide workarounds.

You forgot a few very very important ones:

- Way too much legacy code that was not written with network security in mind

- Way too many technologies, that by their design and the functions they provide, can never be made secure (ActiveX, .NET ClickOnce and more)

- NO interest in removing "core components" that compromise the security of Windows systems (.NET and ActiveX) as (1) too many of their clients use it and (2) (the really important one) those technologies are Microsoft's bread and butter in the ser

That's odd. I thought there were hundreds of fixes (and near a dozen large patches) for the .NET framework due to a plethora of vulnerabilities. Well, I know that's the case. The list is daunting. I thought that the most recent one was just this month (3 fixes for exploit vectors).

And I thought that Java implementations could not escalate privileges on a fully secured machine that a user was not using as an admin without explicit permission(s) being given. And I know that various .NET "technologies" allow

Their problems mostly are that whatever they do, on the OS level, if it's not a "third party developers don't have to do anything", they seem to have to rollback/dilute whatever "Good" was in the offering.

Partly because of the basic multi-user design, partly because of the pre-written unix-based apps, partly because as meaningless as unix 97 and posix are, they do kinda provide enough of a formal api os basis that third parties do not expect to be able to write just anything, has probably more to do with ho

Why waste time publishing that crap? It's not even good for PR because it only serves to highlight the failure. Its only worth is documenting years of fail and we have Mitre [mitre.org] and CERT [cert.org] for that. Every generation of Windows has been the model of bad design and insecurity, including Vista and Vista7. Before M$ reps revised it, /. even had a vista failure [slashdot.org] tag, for the version to come along after tagging was implemented. Otherwise there would have been a special tag for the XP SP2 [google.com] disaster.

To be fair, there would no doubt be many M$ software engineers and coders who know how to produce quality and secure code. It is the M$ marketdroids and bean counters who push it out the door before it is done, or cut out quality modules because it will cost money and not generate extra profits, or dismember features because they were only for marketing purposes or shunt stuff off to the next pretend version so they can sell it as an upgrade.

I'm not familiar enough with the license they chose, but does it guarantee patent protection? The thrust that MS is currently using against FOSS seems to depend on software patents. If they had chosen the GPL, or GPL3, or BSD, or AGPL I would have an idea of what the significance was, but Creative Commons isn't commonly used for FOSS software, so I don't know what that means as far as patents. (WRT copyrights I can make fair guesses, but that's a different matter.)

It doesn't matter how shoddy I think Microsoft products are. The moment I resort to name-calling like Republitard, Democunt, or M$, I take on the mental image of a 5 year old. Everything I said should be dismissed. If I can't stay serious for the 30 seconds it takes to write a post on the Internet, I don't have anything of value to say.

If the thieves are getting past the guards, I would not want to emulate them.
Something is wrong and needs to change, and till it's changed I would not want to copy a security model that isn't secure.
The question is, is it insecure because of a failure in the model or is it because so many resourceful thieves are finding ways around the so-called safeguards?
Who can know?

Most of their problems have been in old code they're undoubtedly afraid to change until it's proven there's actually a vulnerability there. I haven't heard anything to indicate their fresh code produced since adopting their current security process is any more insecure than the stuff produced by the open source world.

Talk I've heard from friends in Microsoft indicates that they're quite paranoid about security, putting strict checks on all levels of development. To mention one small portion of it, C and C++ contain some functions that, if misused, can be easy attack vectors. VC++ has a number of non-standard replacement functions for these that they use that include runtime safety checks. They're warned off the "insecure" functions, and anyone that uses them needs a full rationale written up on why. Needless to say, most coders will have an adjustment!
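The comment above describes replacing unbounded C string functions with size-checked variants. The following is an added, portable illustration of the same idea, written for this page and not taken from Microsoft's VC++ library: a legacy copy that trusts the caller, next to a bounded copy and a bounded formatter that take the destination size and report failure instead of writing past the buffer. The function names and buffer sizes are chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Legacy pattern: strcpy has no idea how big dst is. If src is longer than
 * the destination buffer, the bytes past the end are silently overwritten.
 * Shown only for contrast; nothing below calls it with oversized input. */
void legacy_copy(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Bounded replacement: the caller passes the capacity of dst, and the copy
 * never scans or writes beyond it. Returns 0 on success. If src (plus its
 * terminating NUL) does not fit, dst is set to "" and -1 is returned, so a
 * caller can never mistake a truncated string for the real one. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) {
        return -1;
    }
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') {   /* stop at capacity, not at NUL */
        n++;
    }
    if (n == dst_size) {                        /* no room left for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                    /* n characters plus NUL */
    return 0;
}

/* Bounded formatting. snprintf itself never overflows, but it returns the
 * length the full output WOULD have had; ignoring that value is the common
 * bug. This wrapper turns truncation into an explicit error. */
int bounded_format(char *dst, size_t dst_size, const char *user, const char *action) {
    if (dst == NULL || dst_size == 0 || user == NULL || action == NULL) {
        return -1;
    }
    int written = snprintf(dst, dst_size, "user=%s action=%s", user, action);
    if (written < 0 || (size_t)written >= dst_size) {
        dst[0] = '\0';                          /* output was truncated: discard it */
        return -1;
    }
    return 0;
}

int main(void) {
    char small[8];                              /* deliberately tiny buffer */
    char big[64];

    printf("copy short:  %d\n", bounded_copy(small, sizeof small, "abc"));       /* 0 */
    printf("copy 7+NUL:  %d\n", bounded_copy(small, sizeof small, "1234567"));   /* 0 */
    printf("copy 8 char: %d\n", bounded_copy(small, sizeof small, "12345678"));  /* -1 */
    printf("format big:  %d\n", bounded_format(big, sizeof big, "bob", "login")); /* 0 */
    printf("format small:%d\n", bounded_format(small, sizeof small, "a", "b"));  /* -1 */
    legacy_copy(big, "fits");                   /* safe only because the input is short */
    return 0;
}
```

The point of returning -1 and clearing the buffer is that the error is visible at the call site; a silently truncated path or username is exactly the kind of "valid-looking" data that later code trusts.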

Actually, even dead-simple basic security like closing ports by default, reducing default services, not including the current working directory in the executable or library search paths, not auto-running anything, reducing app attack surface by turning off embedded format decode by default and a vast many other things are completely off the table at Microsoft. Doing security breaks backward compatibility. It removes popular features, and the fact that the features are in and of themselves the security vul

Isn't it long past time it be updated and possibly the correct one be used?

Bill Gates hasn't worked at Microsoft in years, and really has almost no involvement with the company any longer.

It would be like using the Edsel to represent Ford, or still using the New Coke logo.

It no longer serves its purpose, and says more about slashdot than Microsoft these days.

I disagree. The Edsel is dead and gone. The legacy Gates has left us is definitely very alive and prevalent. There is the big difference. Unless .NET and ActiveX are entirely killed and Windows is honestly rewritten from the ground up, and the damage that Microsoft has done to competitors is reversed, then Gates' legacy - especially as related to things like this topic, is alive, well and still in control of most of the PC related marketplace. Credit where credit is due thus indicates it should be his logo

Oh please! At least Darth Gates was scary, and could do that whole "we'll crush you like a bug" thing real well. Ballmer is like putting the court jester in charge of the kingdom. What you have with Ballmer is "Hey, we can be like Apple and make cool stuff! Yes we can! We really can! STOP LAUGHING AT ME!!!!"

The whole EEE thing was Gates, Gates may have been a bastard but he, like Jobs and Ellison, was a tough bastard that played to win. The Ballmer monkey just flops from one idea to another and doesn't dese

A MUCH more appropriate icon would be Ballmer in a jester hat with an "I heart Apple!" T-shirt, since he seems bound and determined to try to be Steve Jobs. And THAT would fit with the current situation at MSFT much more than the old Gates Borg, since without Gates it is like the Borg being led by Reno 911.

Thanks, I think you and most here at /. if they were to really look at the way MSFT was run under Darth Gates (such as using IE to crush Netscape, after stealing IE with a sneaky contract. Classic badness) VS how it has been run under Ballmer (RRoD, Zune, Kin, Vista, hell if he wouldn't have brought in the Office guys, which were left over from Gates, to fix Vista and give him 7 he'd have had double OS flops!) you'd agree that MSFT just ain't that scary anymore. They are like IBM in the 80s, desperately try

Gates created a sclerotic company that cannot shoot straight. He succeeded because his monopoly was handed to him. Microsoft has never innovated anything. In the current environment, he'd be a failure... which is my suspicion as to why he gave up and boogied.

CERT publishes a good set. I've worked with some of the people behind them on some proposals for the C1X standard and they're very bright people. I'd trust their recommendations long before I'd trust ones from Microsoft.

No software can truly be secure. You have to assume that your security will eventually be breached and you have to make an effort to mitigate the damage when a breach occurs. If Microsoft and others want to help, they should be working to make the mitigation side of the equation easier.

Companies that run these operating systems and other software do not think of security at all. They just assume that everything's fine. Home users are even worse. That attitude will also have to change for things to get bet

It won't. Security is a process, not a condition, but people don't think naturally in those terms because it requires continuous effort (and ongoing expense.) Most people prefer to just make an initial investment in security and forget about it. Now, that works when you're talking about a bank vault, maybe, but not computer security.

First, software can be 100% secure only if it is 100% bug-free. And the only software you can be sure is absolutely bug free is a "hello world" running on an embedded device without operating system. Except, hardware/FPGA/microcode/firmware bug might be exposed through your "hello world", leading to potential security exploit, so scratch that.

Second, whenever you manage to make the software idiot-proof, nature develops a better idiot, who'll work around your puny artificial s

Software that accepts external inputs is secure if it rejects invalid or malicious input. That's all there is to it. And it's perfectly possible to write a program that does just that. It doesn't even have to be 100% bug-free.

That doesn't cover valid input which triggers a bug.

Even defining "invalid or malicious input" to include "otherwise valid input that just happens to expose a bug in the code" doesn't help, because you don't know what you'd need to filter out (or if you did, better fix the bug).

Also, security is not just input, it's also output. All kinds of output. For example, there's a class of security exploits which depend on timing (mostly cryptography and authentication related). It's not enough that input is valid
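The reply above notes that validating input is not enough, because timing of the output can leak secrets in authentication code. As an added example (written for this page, not code from the poster), here is the classic case in C: a byte comparison that returns at the first mismatch, whose running time depends on how many leading bytes of a guessed tag were right, next to a constant-time comparison that always processes every byte. A step counter stands in for a stopwatch so the difference is visible deterministically. The tag values are constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Early-exit comparison: stops at the first differing byte. The number of
 * iterations (and therefore the elapsed time) reveals how long the correct
 * prefix of 'b' is, which lets a remote caller recover a MAC byte by byte. */
int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            return 0;
        }
    }
    return 1;
}

/* Same comparison with the loop instrumented, so the leak can be observed
 * without timing: the return value is how many bytes were examined. */
size_t early_exit_steps(const uint8_t *a, const uint8_t *b, size_t len) {
    size_t steps = 0;
    for (size_t i = 0; i < len; i++) {
        steps++;
        if (a[i] != b[i]) {
            break;
        }
    }
    return steps;
}

/* Constant-time comparison: XOR every byte pair and OR the results together.
 * There is no data-dependent branch inside the loop, so the work done is the
 * same for every input of a given length; 'diff' is zero only if all bytes
 * matched. 'volatile' discourages the compiler from short-circuiting it. */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t len) {
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;           /* the only branch is on the final verdict */
}

/* Tag verification as an authenticator would call it. Tag length is public
 * (it is fixed by the algorithm), so rejecting a wrong length up front does
 * not leak anything about the tag's contents. Returns 1 if accepted. */
int verify_tag(const uint8_t *expected, size_t expected_len,
               const uint8_t *provided, size_t provided_len) {
    if (expected_len != provided_len) {
        return 0;
    }
    return compare_constant_time(expected, provided, expected_len);
}

int main(void) {
    /* Constructed 4-byte tag and two wrong guesses: one wrong in the first
     * byte, one wrong only in the last byte. */
    const uint8_t tag[4]         = {0xde, 0xad, 0xbe, 0xef};
    const uint8_t wrong_first[4] = {0x00, 0xad, 0xbe, 0xef};
    const uint8_t wrong_last[4]  = {0xde, 0xad, 0xbe, 0x00};

    printf("early-exit steps, wrong first byte: %zu\n", early_exit_steps(tag, wrong_first, 4)); /* 1 */
    printf("early-exit steps, wrong last byte:  %zu\n", early_exit_steps(tag, wrong_last, 4));  /* 4 */
    printf("constant-time accepts correct tag:  %d\n", verify_tag(tag, 4, tag, 4));            /* 1 */
    printf("constant-time rejects wrong tag:    %d\n", verify_tag(tag, 4, wrong_last, 4));     /* 0 */
    printf("early-exit also rejects wrong tag:  %d\n", compare_early_exit(tag, wrong_last, 4)); /* 0 */
    return 0;
}
```

Both functions give the same yes/no answer, which is why this class of bug passes functional testing; only the constant-time version gives the same amount of work for every wrong guess. Production code should use the platform's vetted primitive (for example CRYPTO_memcmp in OpenSSL) rather than a hand-rolled loop, since compiler optimisation can undo a naive one.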

Can we please get past the cheap shots about Microsoft's security, and pay attention to the trend wherein Microsoft, practically founded on opposition to sharing code, has been experimenting with open source licenses and making overtures to the FLOSS community?

Not all CC licenses are free software/open source. In particular, the license that Microsoft used is CC-BY-NC-SA. This is not a free or open source license. The problem is the NC clause -- NC means non-commercial. A non-commercial license does not satisfy the definition of free software or open source.

So could someone with some knowledge please actually READ the darned document and say something relevant about it?

To me it looks like common sense practices:

- Make the software so it could work without administration privileges except for certain actions. It should work under UAC with a non administrative account. To me this makes sense. 90 % of all security problems in Windows > XP are gone once you don't work with administrative privileges, IIRC.

Under some takes on this license, no for profit corporation (the idea is that everything such an entity does is by definition for profit) would be allowed to make use of the licensed work. And who will trust MS not to take such a view, now or at some point in the future once the damage is done...

This is not meant to be taken seriously, it's just PR so that non-technical folk see headlines like this in the news and think to themselves "Hmm, MS is leading an outreach to help others with security, they sure must know a lot if they're giving away all of this help and information and they must have a lot of confidence if they believe they can help their competition and it won't affect them!"

I know that RTA is not commonplace, so I guess I don't expect many to go even further and go to the MS SDL page, and then go even further to the "What is the Microsoft Security Development Lifecycle (SDL)?" page, but I was bored, so I did.

The Microsoft SDL is a security assurance process that is focused on software development. It is a collection of mandatory security activities, grouped by the phases of the traditional software development

Ooooh, wow!!!! Microsoft is open sourcing a list of methods that developers should follow to ensure security of their applications!!!! Wow!!!

It's not even an open source license. The license is CC-BY-NC-SA 3.0. NC as in non-commercial. This license does not satisfy any reasonable definition of open source/free software.

Richard Stallman said that one of the reasons he opposes the CC licenses is because it's very easy for people to confuse the free CC licenses with the non-free CC licenses, and mistakenly think that a CC-licensed work is free when it's not free. I'm beginning to think that he's right.

I didn't say it was a good source, just an appropriate one. Most other dictionaries don't go into explanation about it, but it is implied by the definitions. "make use of" and "find a practical use for" doesn't really apply if you're just using something as it was intended. There is no use to "find" or "make" in that case.

If you like you can search Google for "use vs. utilize" and all of the top hits will be long explanations about it. I thought it more appropriate to link a dictionary, even if none of them

Besides the obvious jokes about Microsoft and security, the very serious question is what patents of theirs you could infringe by following their process and when they will sue you for it?

Probably never. Other operating system vendors could maybe learn from this, sure, but since most of them are already much farther along the security curve than Redmond has ever been, it won't matter. What this might do (assuming that it's sensible, and I've not read it so I don't know) is help Windows application developers write more-secure code, better avail themselves of Windows' existing security features. That's the real benefit to Microsoft, and there's no point in suing people coding for your platfor